Capital One discovered more customers’ SSNs exposed in 2019 hack

More clients of Capital One have been impacted in the 2019 data breach, the US bank is notifying them of their SSNs exposure.

US bank Capital One notified a number of additional customers that their Social Security numbers were exposed in the data breach that took place in July 2019.

A hacker that was going online with the handle “erratic” breached the systems at Capital One and gained access to personal information from 106 million Capital One credit applications.

Law enforcement arrested the hacker Paige A. Thompson for the security breach.

Paige Thompson is a former Amazon Web Services software engineer who worked for a Capital One contractor from 2015 to 2016.

THOMPSON posted about the Capital One hack on GitHub, she exploited a misconfigured web application firewall to get access to the data.  On July 17, 2019, Capital One was informed of the incident by a GitHub user who saw the post.  On July 19, 2019, that financial institution discovered the intrusion and informed the FBI.

Capital One immediately fixed the configuration issue exploited by the hacker.

Paige A. Thompson was charged with computer fraud and abuse in U.S. District Court in Seattle.

The security breach data breach took place on March 22nd and 23rd, the hacker accessed information of customers who had applied for a credit card between 2005 and 2019.

“Based on our analysis to date, this event affected approximately 100 million individuals in the United States and approximately 6 million in Canada.” states a press release published by Capital One. “Importantly, no credit card account numbers or log-in credentials were compromised and over 99 percent of Social Securitynumbers were not compromised.”

“The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019.”

Exposed data includes names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. Attackers also obtained portions of credit card customer data, including: 

• Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information
• Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018

The hacker accessed bank account numbers and Social Security numbers only for a limited number of customers:

• About 140,000 Social Security numbers of our credit card customers
• About 80,000 linked bank account numbers of our secured credit card customers

Now Capital One while analyzing data stolen during the 2019 security breach with the help of a third-party expert, discovered that intruders gained access to some of its customers’ SSNs.

“Recently, Capital One re-examined the files that were impacted by the 2019 data security incident using new and more advanced tools. As part of this analysis, we determined that your Social Security number was among the data to which the unauthorized individual gained access.” reads the letter sent by the bank to the impacted customers.

Capital One estimated the overall economic impact of the data breach at $100-$150 million.

In 2020, Capital One was fined $80 million by the Office of the Comptroller of the Currency (OCC) for having failed to protect data of its customers.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Capital One)

[adrotate banner=”5″]

[adrotate banner=”13″]